Unfiltered GET, POST and REQUEST data

If you are storing a value from a form in the session, make sure to filter out all bad characters first.

Here is a live example of a vulnerability:
<?php
session_start();
/* attacker using an evil javascript like:
<script>alert(0)</script>
which will popup a "0"
*/
$string = $_GET['string'];
$_SESSION['string'] = $string;
// printing it out
echo $_SESSION['string'];
?>
What happened here is that the GET data is not filtered against Cross-Site Scripting (XSS) attacks. Now think of the same unfiltered data being inserted into a MySQL database, where an attacker can use it for SQL injection.
Make sure this kind of data is always filtered.
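Here is the same page written the safe way, as an added example that is not part of the original tutorial. It keeps the flow of the vulnerable script above (read from GET, store in the session, print) but validates the value on the way in and escapes it for HTML on the way out. The allowed-character pattern and the 200-character limit are assumptions chosen for this example; adapt them to what your form really accepts.

```php
<?php
// Added example (not from the original tutorial): the vulnerable flow from
// above, with the input validated on the way in and escaped on the way out.
session_start();

// Only accept the characters we actually expect (here: letters, digits,
// spaces and a few punctuation marks) and cap the length. Anything else is
// rejected instead of being "cleaned", so there is nothing to get wrong.
function validate_string(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 200) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,!?\'-]+$/u', $raw)) {
        return null;
    }
    return $raw;
}

// Escape for an HTML context right before output. This is what stops
// <script>alert(0)</script> from being interpreted by the browser: it is
// printed as text instead of being executed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$string = validate_string($_GET['string'] ?? '');
if ($string === null) {
    http_response_code(400);
    exit('Invalid input.');
}
$_SESSION['string'] = $string;

// printing it out, escaped
echo h($_SESSION['string']);

// If the same value is later written to MySQL, never build the query by
// hand; use a prepared statement so the data can never become SQL.
// ($pdo is a hypothetical, already-opened PDO connection.)
// $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (?)');
// $stmt->execute([$_SESSION['string']]);
```

Note the two separate steps: validation decides whether the value is acceptable at all, and escaping is done for the specific output context (HTML here, a prepared statement for SQL). Escaping once "for everything" when the value is stored does not work, because HTML and SQL need different escaping.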

Using session_regenerate_id()

What is this function all about?
Well, this function is very important!

a- When you refresh the page you get a new session id
b- When you close the browser the session gets destroyed
c- It will prevent session stealing

To implement it just simply do:
<?php
session_start();
session_regenerate_id();
?>

Accepting HttpOnly cookies

This is a php.ini setting (session.cookie_httponly). php.ini describes it as: "Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript." For more about it you can read on php.net.

Manually expiring sessions

We can use time() to record in the session when we last logged in and destroy the session after X time.
<?php
// the cookie setting must be applied before session_start(),
// otherwise it does not affect the cookie that gets sent
ini_set('session.cookie_httponly', true);
session_start();
session_regenerate_id();
// record last login
$_SESSION['lastlogin'] = time();
?>
When we next access it we do a check for expiration:
<?php
// setting ini rule (before session_start, see above)
ini_set('session.cookie_httponly', true);
session_start();
session_regenerate_id();
// expire when the last login is missing or older than 20 seconds
if (!isset($_SESSION['lastlogin']) || $_SESSION['lastlogin'] < time() - 20) {
    // really end the session, not just print a message
    $_SESSION = [];
    session_destroy();
    die("Session expired, please relogin.");
}
?>
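Putting the three points of this section together (regenerating the id, the HttpOnly cookie and manual expiry), here is one include file you can drop in at the top of every page. It is an added example, not code from the original tutorial. The 20-minute idle limit and the function names secure_session_start(), session_login() and session_logout() are choices made for this example. Two details worth knowing: cookie-related ini settings only take effect if they are set before session_start(), and session_regenerate_id(true) also deletes the old session data, so an id that leaked before login cannot be reused afterwards. (The browser discarding the cookie when it is closed comes from session.cookie_lifetime being 0, the default, not from session_regenerate_id() itself.)

```php
<?php
// Added example (not from the original tutorial): session handling that
// applies the settings of this section in the right order.

const SESSION_IDLE_LIMIT = 20 * 60; // seconds of inactivity before expiry (example value)

function secure_session_start(): void
{
    // All cookie/ini settings BEFORE session_start(), or they do not apply.
    ini_set('session.cookie_httponly', '1'); // not readable from JavaScript
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not create
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1'); // send the cookie over TLS only
    }
    session_start();

    // Expiry check: compare the last activity with now and, when it is too
    // old, throw the data away and start over with a fresh id.
    if (isset($_SESSION['lastactivity'])
        && time() - $_SESSION['lastactivity'] > SESSION_IDLE_LIMIT) {
        $_SESSION = [];
        session_regenerate_id(true);   // new id, old session file deleted
        $_SESSION['expired'] = true;   // so the page can tell the user
    }
    $_SESSION['lastactivity'] = time();
}

// Call this at the moment privileges change (a successful login): the old
// id, which may have been observed before login, stops being valid.
function session_login(int $userId): void
{
    session_regenerate_id(true); // true = delete the old session data too
    $_SESSION['user_id']   = $userId;
    $_SESSION['lastlogin'] = time();
}

// Logout: clear the data, remove the cookie, destroy the server-side session.
function session_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on every page:
secure_session_start();
if (!empty($_SESSION['expired'])) {
    unset($_SESSION['expired']);
    die('Session expired, please relogin.');
}
```

Regenerating the id on every request, as the tutorial does, works but is not required; what matters most is that it happens on login and that the old session is deleted (the true argument). The idle limit here is measured from the last request rather than from the login, which is usually what "expire after X time" is meant to do.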

Php.ini modifications

We are going to make some modifications to the php.ini file.
You can use Ctrl+F to search for the option names.
session.save_path = "c:/wamp/tmp" (where the session files will be saved)
session.gc_maxlifetime = 1440 (maximum time in seconds a session will be kept alive)
It is good to change these 2 options or more (depending on your needs).

Don'ts

It is not a good recommendation to save sessions in a MySQL database: it will slow down page speed and, if the data is not filtered, things may go bad.

Thanks for reading, I worked a lot on writing this tutorial, a bit of sharing of this post would be nice :D